Getting Data In

Univeral forwarder not forwarding

systemsatpayzon
Path Finder

I have a problem with a universal forwarder as i configured on a domain controller to use with splunk app for active directory. The forwarder is not forwarding anything. what i have done so far:
1. installed the forwarder to gather remote data and used an domain admin account. i did not check any of the checkboxes during the installation. but i typed in the reciving indexer when asked for
2. i have downloaded and copied the folders Splunk_TA_windows, TA-DNSServer-NT6 and TA-DomainController-NT6 to the apps directory on the universal forwarder
3. I have put a inputs.conf file under Splunk_TA_windows\local folder and then restarted the forwarder

But noting is sent to indexer. I am sure that there is no firewall or anything like that blocking because i first installed the forwarder as usual and checked the security log input in the installation wizard (after reading the manual about splunk app for active directory i uninstalled it) and saw that events where sent to and recieved by the indexer.

0 Karma

systemsatpayzon
Path Finder

When i removed the app folder TA-DNSServer-NT6 from splunk and restarted splunk it starts to forward events! the server is a DC with ad integrated DNS.

0 Karma

starcher
SplunkTrust
SplunkTrust

I would double check your inputs.conf file under your Splunk_TA_Windows app. Personally I always copy the inputs.conf from the default to the local folder then edit the stanzas for the appropriate event viewer containers and add the line index=... where you specify the index you want the logs to go into assuming you are not sending them to the default index.

You did not mention setting up an outputs.conf to point to your indexer. Though if 192.168.19.47 is your indexer then you probably did that.

0 Karma

systemsatpayzon
Path Finder

thanks for the tips.. here is a snippet from my inputs.conf found in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local

[default]

evt_dc_name =

evt_dns_name =

OS Logs

[WinEventLog:Application]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

[WinEventLog:Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

[WinEventLog:System]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

0 Karma

systemsatpayzon
Path Finder

[EDIT2]

Domain and dns information seems to be sent to the indexer, but not any logs from the security, application or system event log

0 Karma

systemsatpayzon
Path Finder

What should i look for? the rows below seems suspicious..

6-12-2013 12:17:13.440 +0200 ERROR TcpOutputFd - Read error. Either the application has not called WSAStartup, or WSAStartup failed.
06-12-2013 12:17:13.440 +0200 INFO TcpOutputProc - Connection to 192.168.19.47:9997 closed. Read error. Either the application has not called WSAStartup, or WSAStartup failed.

[EDIT]
further down this message is written, so i guess that there are no connection problem
INFO TcpOutputProc - Connected to idx=192.168.19.47:9997

0 Karma

MHibbin
Influencer

Have you seen anything in the logs on the universal forwarder?

$SPLUNK_HOME\var\log\splunk\splunkd.log

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...